Free Republic
News/Activism

OSS is an easier hack: Mitnick
TECTONIC ^ | 30 January, 2006 | Jason Norwood-Young

Posted on 01/30/2006 10:21:08 AM PST by Salo

In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he'd prefer to attack an open source environment.

“Open source would be easier [to hack],” admits ex-hacker turned security consultant Mitnick. “It's less work.”

Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called “fuzzing”.

Fuzzing means putting fake data – such as really long strings – into portions of the application that allow user input. “You want to make that function call fail. Does it cause an exception? If it does then the programmer probably hasn't validated the input. You could supply your code in a particular manner – thus tricking the application or function into executing your own code. Hackers want to execute their own code – preferably with privileges – and then they gain control.

“On the face of it, open source software is more secure,” says Mitnick. “A lot of eyes are looking at the code. You'd think that with OSS, with more people looking at the code, you're more apt at finding security holes. But are enough people really interested?”

Mitnick does qualify his statement carefully - it's six of one and half-a-dozen of the other. “Then again, a lot of people are really good at reverse engineering. You can obtain illicit copies of [proprietary] source code,” he says diplomatically.

Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone. He will be in South Africa next month for the ITWeb Security Summit 2006, and will speak about social engineering and wireless security.

He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris. Currently he's penning an autobiography to clear up some myths about himself. And no, you can't launch a nuclear attack by whistling into a telephone.


TOPICS: Crime/Corruption; Technical
KEYWORDS: linux; microsoft; oss; security; windows
interesting read.
1 posted on 01/30/2006 10:21:09 AM PST by Salo
[ Post Reply | Private Reply | View Replies]
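
The fuzzing loop the article describes, run as a test against your own input handler; this is an added example, not part of the article or of any post in this thread. The `key=value` record format, the 32-character limit and every function name are assumptions made for illustration.

```python
import random

MAX_VALUE = 32  # constructed limit for this example


class InputRejected(Exception):
    """Controlled refusal: the input was checked and turned away."""


def parse_unvalidated(line: str) -> dict:
    # Hypothetical handler that trusts its input.
    key, value = line.split("=", 1)      # ValueError when "=" is missing
    buf = [""] * MAX_VALUE               # fixed-size slot for the value
    for i, ch in enumerate(value):       # IndexError once the value outgrows it
        buf[i] = ch
    return {"key": key, "value": "".join(buf)}


def parse_validated(line: str) -> dict:
    # Same handler with the checks the fuzzer shows are missing.
    if "=" not in line:
        raise InputRejected("missing '='")
    key, value = line.split("=", 1)
    if len(value) > MAX_VALUE:
        raise InputRejected("value too long")
    return {"key": key, "value": value}


def fuzz_cases(seed: int = 1, rounds: int = 200):
    rng = random.Random(seed)            # seeded so every run is reproducible
    yield ""                             # empty input
    for n in (1, MAX_VALUE, MAX_VALUE + 1, 4096):
        yield "k=" + "A" * n             # the "really long strings" case
    for _ in range(rounds):              # short random junk
        yield "".join(rng.choice("k=A\x00 ") for _ in range(rng.randint(0, 80)))


def fuzz(target) -> dict:
    """Return {exception name: first input that triggered it} for unhandled failures."""
    findings = {}
    for case in fuzz_cases():
        try:
            target(case)
        except InputRejected:
            pass                         # handled refusal, not a finding
        except Exception as exc:         # unhandled exception: input was not validated
            findings.setdefault(type(exc).__name__, case[:40])
    return findings
```

Each entry returned for `parse_unvalidated` is an input class the handler never checked; the validated version returns an empty result for the same cases.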

To: ShadowAce; adam_az; N3WBI3; Ernest_at_the_Beach

Tech, security pings.


2 posted on 01/30/2006 10:22:32 AM PST by Salo (He hath touched me with his noodly appendage. Ramen.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Salo

Mitnick is ancient news. He's irrelevant.


3 posted on 01/30/2006 10:23:39 AM PST by Glenn (What I've dared, I've willed; and what I've willed, I'll do!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Salo

I seem to recall that Mitnick was not nearly as good as he claimed to be--someone said there are IRC transcripts where ol' Mitnick is asking other people to compile and link his exploit code for him, because he didn't know how.


4 posted on 01/30/2006 10:25:16 AM PST by BeHoldAPaleHorse (Tagline deleted at request of moderator.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

5 posted on 01/30/2006 10:26:29 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Salo

Considering the damage this scumbag caused to corporate info systems in his heyday, I'd prefer Mitnick rot in prison for the rest of his life.

He cannot be trusted. To see him getting fame and money from his exploitation is very disheartening.


6 posted on 01/30/2006 10:26:35 AM PST by wvobiwan (It's OUR Net! If you don't like it keep your stanky routers off it!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: wvobiwan

True dat.

Leo Laporte had/has a major hard-on for the guy on TechTv.


7 posted on 01/30/2006 10:28:03 AM PST by martin_fierro
[ Post Reply | Private Reply | To 6 | View Replies]

To: Glenn
He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris.

I thought as part of his sentence he couldn't touch computers.

8 posted on 01/30/2006 10:29:35 AM PST by stainlessbanner (^W^)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Salo
Mitnick says that open source software is easier to analyse for security holes, since you can see the code.

Wow, this guy is smart. /sarcasm off

9 posted on 01/30/2006 10:29:57 AM PST by isthisnickcool (Quoting Hillary Clinton: "You know, you know, you know, you know.....")
[ Post Reply | Private Reply | To 1 | View Replies]

To: BeHoldAPaleHorse

You're smoking dope. Mitnick was damn good, and so were plenty of other people that never got caught, and have good paying legit jobs today.


10 posted on 01/30/2006 10:32:30 AM PST by Smogger
[ Post Reply | Private Reply | To 4 | View Replies]

To: wvobiwan
Considering the damage this scumbag caused to corporate info systems in his heyday...

What a crybaby. Mitnick never caused anything resembling damage to "corporate info systems"; the only thing he damaged was the egos of the system administrators who claimed their crap was secure. Oh, and the egos of the FBI.

11 posted on 01/30/2006 10:35:20 AM PST by Smogger
[ Post Reply | Private Reply | To 6 | View Replies]

To: BeHoldAPaleHorse
I seem to recall that Mitnick was not nearly as good as he claimed to be--someone said there are IRC transcripts where ol' Mitnick is asking other people to compile and link his exploit code for him, because he didn't know how.

The vast majority of exploits by Mitnick were 'social engineering', not actual code attacks against servers. He'd call up a secretary and pose as a salespuke who needed access for something, and basically bullsh!t a password out of him/her. Social Engineering can be an art form all its own, but it is not really 'hacking' in the negative sense.

12 posted on 01/30/2006 10:42:47 AM PST by zeugma (Muslims are varelse...)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Salo
"He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone."

"You know how to whistle, don't you, Steve? You just put your lips together - and blow."

KA-BLAM!!!

13 posted on 01/30/2006 10:47:00 AM PST by cloud8
[ Post Reply | Private Reply | To 1 | View Replies]

To: isthisnickcool

Hey, he can launch nuclear missiles by whistling into a phone /s


14 posted on 01/30/2006 10:49:08 AM PST by Tribune7
[ Post Reply | Private Reply | To 9 | View Replies]

To: BeHoldAPaleHorse

"I seem to recall that Mitnick was not nearly as good as he claimed to be--someone said there are IRC transcripts where ol' Mitnick is asking other people to compile and link his exploit code for him, because he didn't know how."

Mitnick's chops may have been good or fair. His real talent was social-engineering. He has the knack for getting on the phone and wheedling information out of unsuspecting folk. He once acquired the tech specs, schematics, and programming codes for the Motorola "something-tac" phone by claiming to be a field rep. The hapless secretary/admin type faxed him the documents which enabled him to hack the phone and keep LE off his trail.

That takes some tech skill, but getting those docs was the real hack.

Malicious hackers, and more to the point, virus creators should rot in moldy, nasty prisons!!!

Top sends


15 posted on 01/30/2006 10:49:44 AM PST by petro45acp (SUPPORT/BE YOUR LOCAL SHEEPDOG! ("On Sheep, Wolves, and Sheepdogs" by Dave Grossman))
[ Post Reply | Private Reply | To 4 | View Replies]

To: Smogger
You're smoking dope. Mitnick was damn good,

...and you're drinking the Kool-Aid. Mitnick's primary talent was social engineering, getting passwords merely by asking. His technical attacks weren't all that sophisticated.

16 posted on 01/30/2006 11:15:50 AM PST by HolgerDansk ("Oh Bother", said Pooh, as he worked the bolt.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: stainlessbanner

Maybe like Frank "Catch Me If You Can" Abagnale, Jr., Mitnick might be working for the Feds, now, ya know?!


17 posted on 01/30/2006 11:17:55 AM PST by NotJustAnotherPrettyFace
[ Post Reply | Private Reply | To 8 | View Replies]

To: cloud8

"Are you gonna pull those pistols or whistle Dixie?"


18 posted on 01/30/2006 11:33:03 AM PST by stainlessbanner (^W^)
[ Post Reply | Private Reply | To 13 | View Replies]

To: stainlessbanner
I thought as part of his sentence he couldn't touch computers.

That was part of his probation. His parole ended in 2003.

19 posted on 01/30/2006 11:36:28 AM PST by TechJunkYard (DMCA: Don't Make Content Accessable)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Salo

Mitnick was on Coast a couple nights ago. Evidently his skills are still in demand, but he is on the side of Good now.


20 posted on 01/30/2006 11:37:51 AM PST by RightWhale (pas de lieu, Rhone que nous)
[ Post Reply | Private Reply | To 1 | View Replies]
